[tech] Yunolan has been added to Winadmin

Dylan Hicks dylanh333 at ucc.gu.uwa.edu.au
Tue Nov 28 23:28:41 AWST 2023


Hi All,

Just an FYI, I have now added Yunolan to Winadmin, following a request on #ucc - "Any chance I can get local admin on the UCC PCs? I've bugged Cormac 5 times today while installing node".
[BLU] and [BRD] also confirmed this was okay, before I made the change.

In terms of how I did this, I deliberately did not log into Samson as `root` and use ye olde `samba-tool` cowboy method.
Instead, I went with the much more painful (but secure) approach of using LDAP with `ldapsearch` and `ldapmodify` - authenticated as me via Kerberos - to update the member list of `winadmin`.

Steps to do this as follows:
 * Get a Kerberos ticket-granting ticket (TGT), if you don't already have one:
   * Run `klist` to see what Kerberos tickets you currently possess.
   * Run `kinit` to get a fresh TGT.
 * Get the distinguished name (dn) of the target group:
   * Query: `ldapsearch -H 'ldap://ad.ucc.gu.uwa.edu.au' '(sAMAccountName=winadmin)' dn`
   * Result: "CN=winadmin,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au"
 * Get the dn of the target user:
   * Query: `ldapsearch -H 'ldap://ad.ucc.gu.uwa.edu.au' '(sAMAccountName=yunolan)' dn`
   * Result: "CN=yunolan,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au"
 * Write an LDIF (script?) to add Yunolan as a member, e.g. "~/add-yunolan-to-winadmin.ldif", using the below format (see `man ldif`):
```
dn: CN=winadmin,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au
changetype: modify
add: member
member: CN=yunolan,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au
```
 * Modify the "winadmin" group with the above LDIF script:
   * `ldapmodify -H 'ldap://ad.ucc.gu.uwa.edu.au' -f add-yunolan-to-winadmin.ldif`
 * Check that Yunolan now shows as a member:
   * LDAP query: `ldapsearch -H 'ldap://ad.ucc.gu.uwa.edu.au' '(sAMAccountName=winadmin)' | less`
   * AD integration on Motsudo:
     * Run: `id yunolan`
     * If "winadmin" doesn't show up, clear the cached AD info SSSD has on Yunolan with `sudo sss_cache -u yunolan`
     * Run `id yunolan` again

Is this harder? Yes... but only because the `ldap(search|modify)` tooling kinda sucks - there are better tools out there that let you run things like `Add-ADGroupMember -Identity winadmin -Members yunolan` and call it a day, but that particular example doesn't work with Samba (it needs Active Directory Web Services >:( ).
In either case, I'd say this is a better and much more secure practice than running `samba-tool` as root on Samson.

--
Kind regards,
Dylan Hicks [333]
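The procedure in the post (kinit, two DN lookups, an LDIF `add: member`, a verify) is a natural candidate for a small re-runnable script. The following is an added example written for this page, not code from the post or from UCC: a POSIX shell script that does the same change authenticated as the caller over SASL/GSSAPI, so nobody needs to be root on the DC. It assumes the OpenLDAP client tools (`ldapsearch`, `ldapmodify`) and a valid TGT; `LDAP_URI` and `BASE_DN` default to the server and naming context seen in the post and can be overridden from the environment. Beyond the post's steps it adds three checks a practitioner would want: it refuses to modify anything unless a name resolves to exactly one object, it rejects LDAP filter metacharacters in the account name (the name is interpolated into a filter), and it tests membership first so a second run is a no-op instead of an `attributeOrValueExists` error from `ldapmodify`.

```sh
#!/bin/sh
# Added example, not part of the original post: add one AD user to one AD group
# over LDAP, bound as the caller via Kerberos (SASL/GSSAPI) rather than as root
# on the domain controller.
# Assumptions: OpenLDAP client tools and a valid TGT from kinit. LDAP_URI and
# BASE_DN default to the values visible in the post; override via environment.

LDAP_URI="${LDAP_URI:-ldap://ad.ucc.gu.uwa.edu.au}"
BASE_DN="${BASE_DN:-DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au}"

# Common ldapsearch options: LDIF-only output, quiet GSSAPI bind, and no
# 76-column line wrapping so a long DN is never split across two lines.
ldap_search() {
  ldapsearch -LLL -Q -Y GSSAPI -o ldif-wrap=no -H "$LDAP_URI" "$@"
}

# Emit the LDIF that appends user_dn ($2) to the member attribute of
# group_dn ($1): the same four-line change shown in the post.
build_add_member_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' "$1" "$2"
}

# Read ldapsearch LDIF on stdin and print the single DN it contains.
# Refuses zero or several matches, and base64-encoded (dn::) values, so an
# ambiguous lookup can never turn into a modify of the wrong object.
extract_single_dn() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '^dn:: '; then
    echo "extract_single_dn: base64-encoded DN in result, not handled" >&2
    return 1
  fi
  dns=$(printf '%s\n' "$out" | sed -n 's/^dn: //p')
  n=$(printf '%s\n' "$dns" | grep -c . || true)
  if [ "$n" -ne 1 ]; then
    echo "extract_single_dn: expected exactly one entry, got $n" >&2
    return 1
  fi
  printf '%s\n' "$dns"
}

# Resolve a sAMAccountName to its DN. The name goes into an LDAP filter,
# so reject filter metacharacters instead of risking filter injection.
lookup_dn() {
  if [ -z "$1" ] || printf '%s' "$1" | grep -q '[*()\\]'; then
    echo "lookup_dn: refusing unsafe sAMAccountName: '$1'" >&2
    return 1
  fi
  ldap_search -b "$BASE_DN" "(sAMAccountName=$1)" dn | extract_single_dn
}

# Exact-match membership test read straight from the group object
# (the user DN is never placed inside a filter, so no escaping is needed).
is_member() {
  ldap_search -b "$1" -s base '(objectClass=group)' member | grep -Fxq "member: $2"
}

main() {
  user=$1
  group=$2
  klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; exit 1; }
  user_dn=$(lookup_dn "$user") || exit 1
  group_dn=$(lookup_dn "$group") || exit 1
  if is_member "$group_dn" "$user_dn"; then
    echo "$user is already a member of $group; nothing to do"
    return 0
  fi
  # Without the check above, a repeat run would fail with
  # attributeOrValueExists (LDAP result code 20).
  build_add_member_ldif "$group_dn" "$user_dn" | ldapmodify -Q -Y GSSAPI -H "$LDAP_URI" \
    || { echo "ldapmodify failed" >&2; exit 1; }
  is_member "$group_dn" "$user_dn" || { echo "post-change membership check failed" >&2; exit 1; }
  echo "added $user_dn to $group_dn"
}

# Usage: ./add-to-group.sh <user sAMAccountName> <group sAMAccountName>
# e.g.   ./add-to-group.sh yunolan winadmin
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

The SSSD step from the post is deliberately not in the script: the LDAP change happens on the DC, while the stale cache lives on whichever member host you check with `id`, so `sss_cache -u <user>` still has to be run there.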

